Add SafeSkill security badge (50/100 — Use with Caution) #119

Closed
OyaAIProd wants to merge 1 commit into cmeans:main from OyaAIProd:safeskill-scan-1778033369282

@OyaAIProd

🟠 SafeSkill Security Scan Results

| Metric | Value |
| --- | --- |
| Overall Score | 50/100 (Use with Caution) |
| Code Score | 50/100 |
| Content Score | 78/100 |
| Findings | 7 findings detected |
| Taint Flows | 0 |
| Files Scanned | 0 |
| Scan Duration | 0.1s |

Top Findings

View full report on SafeSkill


About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

Signed-off-by: SafeSkill Scanner <mk@oya.ai>
@cmeans-claude-dev
Contributor

Closing.

This is a copy of cmeans/mcp-synology#74, filed by the same author from the same SafeSkill template. The mcp-synology version was closed without engagement five days ago; this one will follow the same path. The findings don't survive scrutiny:

  • The headline 50/100 "Use with Caution" score is driven primarily by "Inconclusive: scanner found no analysable source files" with Files Scanned: 0. mcp-clipboard is a Python project. A scanner that doesn't analyze the language the project is written in, then caps the score and presents it as a security signal, is reporting on its own coverage gap, not on the project. Asking the maintainer to display that score as a badge is asking us to advertise the scanner's blind spot.
  • The "indirect injection vector" findings flag https://raw.githubusercontent.com/cmeans/mcp-clipboard/main/... URLs in README.md. Those are the project's own hosted icons. Self-hosted asset URLs in a project's own README are not an injection vector under any reasonable threat model; flagging them as such is a methodology problem.
  • Filing the same auto-generated template, unchanged, against multiple repos owned by the same maintainer — including one already declined — is drive-by, not review. There's no engagement with what either project actually does.

If SafeSkill wants to be taken seriously by Python MCP-server maintainers, the bar is: read the source, produce findings that survive a five-minute review, and don't ask for promotional placement based on numbers the scanner couldn't compute. Not interested.

@cmeans-claude-dev cmeans-claude-dev Bot closed this May 6, 2026
@cmeans-claude-dev cmeans-claude-dev Bot mentioned this pull request May 6, 2026
cmeans-claude-dev Bot added a commit that referenced this pull request May 6, 2026
Release v2.5.0. Aggregates the four PRs since v2.4.0 (2026-05-05).

## Scope

### Added
- **#120 — register with the MCP Server registry** (closes #114). New
`server.json` (root) carries the registry manifest;
`scripts/sync-server-json.py` is the single-source-of-truth sync from
`pyproject.toml`'s `[project].version` to `server.json`'s two version
fields. New composite action `.github/actions/install-mcp-publisher`
pins `mcp-publisher` to `v1.7.6+` for the post-2026-04-30 OIDC audience
requirement. CI gains `version-sync` + `validate-server-json` jobs;
`publish.yml` gains a release-time `validate-server-json` gate (now
`needs:` of `publish-pypi`) and a new `publish-registry` job that runs
after `publish-pypi`. **This release is the first to fire
`publish-registry`, registering `io.github.cmeans/mcp-clipboard` for the
first time.** Subsequent releases update the entry in place.
- **#121 — `clipboard_copy_markdown` tool** (closes #109). Renders a
markdown source to HTML via `markdown-it-py` (with raw HTML escaped,
safe by construction) and writes both `text/html` (rendered) and
`text/plain` (the markdown source) to the clipboard. macOS and Windows
write both formats atomically (NSPasteboard / `DataObject`); Wayland and
X11 are single-MIME-per-call and write `text/html` only — Wayland's
`wl-copy` auto-advertises `text/plain` whose bytes are the rendered HTML
markup, X11 has no `text/plain` target. Adds `markdown-it-py>=3.0` as a
new runtime dependency (pure Python, ~250 KB, no native deps).
- **#122 — PRIMARY-selection support on read tools** (closes #110).
`clipboard_paste`, `clipboard_read_raw`, and `clipboard_list_formats`
now accept an optional `selection` argument (`"clipboard"` default,
`"primary"` for the X11 PRIMARY / Wayland primary middle-click
selection). macOS and Windows have no PRIMARY analog and return a clear
error if `"primary"` is passed. Public APIs `read_clipboard`,
`list_clipboard_formats`, and `read_clipboard_image` gained the same
`selection` parameter.

### Closed without engagement
- **#119 — SafeSkill drive-by scanner promotion.** Closed as duplicate
of an identical filing on cmeans/mcp-synology. Same auto-template hit
both repos; the methodology has gaps (`Files Scanned: 0` on Python
projects, then asks for a promotional badge).

## Verification

- `uv run pytest -q`: **599 passed**, 19 deselected, 5 xfailed.
- `uv run ruff check src/ tests/ scripts/`: clean.
- `uv run mypy src/`: clean.
- `python scripts/sync-server-json.py --check`: server.json in sync with
pyproject.toml (2.5.0).
- `uv build --wheel`: builds `dist/mcp_clipboard-2.5.0-py3-none-any.whl`
successfully.
- All four landing PRs were QA-approved on `main` with green CI before
this aggregation.

## Release commit shape

Three-file diff: `pyproject.toml` (2.4.0 → 2.5.0), `CHANGELOG.md`
(header roll, no other content changes), and `server.json` (synced via
`scripts/sync-server-json.py` per the new release flow introduced in
#120). The `version-sync` CI gate verifies the sync is correct before
merge.

## Tag plan

After this PR merges, push `v2.5.0` tag to trigger `publish.yml`:

1. `validate-server-json` — schema check against the live registry.
2. `publish-pypi` — uploads `mcp_clipboard-2.5.0-py3-none-any.whl` +
sdist to PyPI via OIDC trusted publisher.
3. `publish-registry` — registers `io.github.cmeans/mcp-clipboard` in
the official MCP registry. **First-run.**
4. (no `github-release` job yet — that's a future-port from mcp-synology
if/when it's worth the diff.)

The `[Unreleased]` section is now empty, ready for the next cycle.

## Test plan

- [x] CI green across `lint`, `typecheck`, `test (3.11/3.12/3.13)`,
`integration-x11`, `version-sync`, `validate-server-json`.
- [x] `uv build --wheel` succeeds locally on a clean checkout (verified
pre-PR).
- [ ] Tag push triggers `publish.yml` and the PyPI release lands.
- [ ] `publish-registry` job lands green on the first run; `curl -s
'https://registry.modelcontextprotocol.io/v0/servers?search=mcp-clipboard'`
returns a hit afterward.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>